<!DOCTYPE html>
<html>
<head>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="/security/contentSecurityPolicy/resources/cascade-helper.js"></script>
  <meta http-equiv="content-security-policy" content="img-src http://127.0.0.1:8000 http://example.test:8000">
</head>
<body>
<script>
  async_test(t => {
    assert_allowed_image_in_document(t, document, "http://127.0.0.1:8000/resources/square.png?top-level");
    assert_allowed_image_in_document(t, document, "http://example.test:8000/resources/square.png?top-level");
  }, "Policy applied in top-level.");

  async_test(t => {
    var w = window.open();
    w.document.head.innerHTML = "<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>";
    assert_allowed_image_in_document(t, w.document, "http://127.0.0.1:8000/resources/square.png?blank-frame");
    assert_blocked_image_in_document(t, w.document, "http://example.test:8000/resources/square.png?blank-frame");
  }, "Image loaded via about:blank window blocked.");

  async_test(t => {
    var b = new Blob([], {type: "text/html"});
    var w = window.open(URL.createObjectURL(b));
    w.onload = _ => {
      w.document.head.innerHTML = "<meta http-equiv='content-security-policy' content='img-src http://127.0.0.1:8000'>";
      assert_allowed_image_in_document(t, w.document, "http://127.0.0.1:8000/resources/square.png?blob-frame");
      assert_blocked_image_in_document(t, w.document, "http://example.test:8000/resources/square.png?blob-frame");
    };
  }, "Image loaded via 'blob:' window blocked.");

  // filesystem URLs can no longer be window.open'ed.
</script>
</body>
</html>
